Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Tinyauth's OIDC authorization codes are not bound to client on token exchange
Vulnerability Description
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their own client credentials, obtaining tokens for users who never authorized their application. This violates RFC 6749 Section 4.1.3. This vulnerability is fixed in 5.0.3.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
Tinyauth 安全漏洞
Vulnerability Description
Tinyauth是Stavros个人开发者的一个认证授权服务器。 Tinyauth 5.0.3之前版本存在安全漏洞,该漏洞源于OIDC令牌端点未验证交换授权码的客户端身份,可能导致恶意客户端操作员获取其他客户端的用户令牌。
CVSS Information
N/A
Vulnerability Type
N/A